Release Date: Sept. 6, 2022
Note: The release you are looking at is a security bugfix release for the legacy 3.7 series which has now reached end-of-life and is no longer supported. See the downloads page for currently supported versions of Python. The final source-only security fix release for 3.7 was 3.7.17.
The sigstore information for this release was updated on 2023-07-14. The release tarball files were not changed.
Security content in this release
- CVE-2020-10735: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32, such as base 10 (decimal), now raises a ValueError if the number of digits in string form is above a limit. This avoids potential denial-of-service attacks due to the algorithmic complexity of the conversion.
- gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when a URI path starts with //.
- gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees to avoid a potential crash of the interpreter.
- gh-80254: Raise ProgrammingError instead of segfaulting on recursive usage of cursors in sqlite3 converters.
Files: Gzipped source tarball; XZ compressed source tarball